
Microsoft Changes Direction on ADFS with Certificate-Based Authentication Preview

Microsoft on Monday announced a public preview of certificate-based authentication (CBA) for Azure Active Directory (Azure AD).

The CBA preview likely spells the end for Microsoft's Active Directory Federation Service (ADFS), a Windows Server role that organizations typically deploy to federate with Azure AD. Until now, a federated identity provider such as ADFS was required for Azure AD authentication with X.509 certificates; with CBA, ADFS is no longer needed for that purpose.

CBA lets organizations authenticate to Azure AD with X.509 certificates without using any federation service.

"Azure AD CBA eliminates the need for federated AD FS, which helps simplify customer environments and reduce costs," Microsoft stated in an "Overview" document.

Organizations get the following benefits using CBA and Azure AD, per the document:

  • No need for complex on-premises deployments or network configuration.
  • Directly authenticate against Azure AD.
  • No management overhead or cost.

Additionally, CBA will be free with all Azure AD subscriptions, including the free Azure AD accounts.

'Phishing-Resistant' Compliance
The use of Azure AD with CBA enables "phishing-resistant" authentications, allowing organizations to comply with the Biden administration's recent Executive Order 14028, Microsoft argued. The order is directed toward the security practices of federal agencies.

The CBA preview is available to both public users and government users. It'll work with the personal identity verification (PIV) and common access card (CAC) smart cards that U.S. government organizations typically use for identity and access management.

End users encountering the Azure AD plus CBA combination get prompted to sign in with a certificate, rather than a password. If an end user isn't "in scope for CBA," then the authentication will fail.

Did ADFS Have Issues?
ADFS may simply have been too complex to operate, and it was notably abused in last year's espionage attacks.

Microsoft may have developed CBA in response to last year's widespread espionage campaign by the Russia-associated Nobelium group (the campaign Microsoft dubbed "Solorigate"), which reached into government and industry organizations. One avenue of those attacks was ADFS: the attackers stole the ADFS token-signing certificate and used it to forge Security Assertion Markup Language (SAML) tokens, gaining access to Exchange Online e-mail. Because a forged token carries a valid signature, this "golden SAML" approach let the attackers bypass multifactor authentication and access any application federated with that ADFS instance, according to forensic analysis by security solutions company FireEye.
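The security-relevant consequence of the golden SAML technique described above is that a forged token is cryptographically indistinguishable from a genuine one to Azure AD, so detection has to come from the issuing side: an on-premises ADFS token-issuance audit event (Event ID 1200, "issued a valid token") should exist for every federated sign-in that Azure AD records. The Python script below is an added example written for this article, not code from Microsoft, FireEye or the article itself. It correlates constructed sample records of both kinds and flags federated sign-ins with no matching issuance event shortly beforehand. The field names, the five-minute window and the log entries are assumptions made for illustration.

```python
"""Flag Azure AD federated sign-ins that have no matching ADFS token-issuance event.

Added example for this article; not code from Microsoft or FireEye. Log shapes,
field names and the sample records below are constructed assumptions.
"""
from datetime import datetime, timedelta

# Constructed sample of Azure AD sign-in log entries (simplified; not real data).
AAD_SIGNINS = [
    {"time": "2021-07-14T10:00:05Z", "user": "alice@corp.example",
     "auth": "federated", "app": "Exchange Online"},
    {"time": "2021-07-14T10:30:00Z", "user": "bob@corp.example",
     "auth": "federated", "app": "Exchange Online"},
    {"time": "2021-07-14T11:00:00Z", "user": "carol@corp.example",
     "auth": "cloud", "app": "SharePoint Online"},
]

# Constructed sample of ADFS security-audit events from the on-premises farm.
# Event ID 1200 is the ADFS "issued a valid token" audit event; auditing must be
# enabled on the farm for these events to exist at all.
ADFS_EVENTS = [
    {"time": "2021-07-14T10:00:03Z", "event_id": 1200, "user": "alice@corp.example"},
    {"time": "2021-07-14T09:00:00Z", "event_id": 1200, "user": "bob@corp.example"},
]


def _parse(ts: str) -> datetime:
    """Parse the ISO-8601 UTC timestamps used in the sample records."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def find_unbacked_federated_signins(signins, adfs_events, window_minutes: int = 5):
    """Return federated sign-ins with no ADFS 1200 event for the same user in the
    window_minutes before the sign-in.

    A forged (golden SAML) token is signed with the real token-signing key, so
    Azure AD accepts it, but the ADFS servers never issued it and log nothing.
    """
    window = timedelta(minutes=window_minutes)
    issued = [(_parse(e["time"]), e["user"].lower())
              for e in adfs_events if e["event_id"] == 1200]
    suspicious = []
    for s in signins:
        if s["auth"] != "federated":
            continue  # cloud-authenticated users never touch ADFS
        t, user = _parse(s["time"]), s["user"].lower()
        backed = any(u == user and t - window <= issued_at <= t
                     for issued_at, u in issued)
        if not backed:
            suspicious.append(s)
    return suspicious


if __name__ == "__main__":
    for hit in find_unbacked_federated_signins(AAD_SIGNINS, ADFS_EVENTS):
        print(f"no ADFS issuance event for {hit['user']} -> {hit['app']} at {hit['time']}")
```

With the sample data, alice's sign-in is backed by a 1200 event two seconds earlier, carol authenticates directly against the cloud, and bob's only issuance event is 90 minutes old, so bob's sign-in is the one flagged. In practice the window must tolerate clock skew between the ADFS farm and Azure AD, ADFS auditing has to be enabled and centrally collected, and the check only catches the symptom: keeping the token-signing key out of reach, for example in the HSM Weinert recommends below, addresses the cause.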

Shortly after the Nobelium attacks, Microsoft had suggested that organizations had simply misconfigured ADFS, enabling the exploits. Onlookers such as security solutions firm CrowdStrike, however, bluntly described ADFS as having "architectural limitations."

When I asked Alex Weinert, director of identity security at Microsoft, if ADFS were insecure to use, he replied in a July 14 Twitter post that cloud authentication was a better security approach. If organizations were to use ADFS, though, they should also use a hardware security module (HSM) with it, as described in this Microsoft document, Weinert had indicated back then.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.
